Bugtraq mailing list archives
Weak password protection in WebSphere 4.0.4 XML configuration export
From: "Jan P. Monsch" <jan.monsch () csnc ch>
Date: Tue, 04 Feb 2003 11:21:26 +0100
#############################################################
#
#  COMPASS SECURITY                       http://www.csnc.ch/
#
#############################################################
#
#  Topic:   WebSphere Advanced Server Edition 4.0.4
#  Subject: Insufficient Password Protection in
#           Configuration Export
#  Author:  Jan P. Monsch
#  Date:    February 3, 2003
#
#############################################################

Problem:
--------
Passwords in the WebSphere XML configuration export are not sufficiently protected. If the exported configuration gets into the hands of a malicious user, he or she can deobfuscate the passwords easily and gain access to the password-protected resources.

Workaround:
-----------
Administrators should take care to export the configuration to an administrator-accessible directory only and to destroy the export file after use.

Vulnerable:
-----------
- WebSphere Advanced Server 4.0.4
- other versions might be vulnerable as well

Not vulnerable:
---------------
- Unknown

Details:
--------
WebSphere Advanced Server Edition 4.0.4 offers a management functionality which allows an administrator to export the whole WebSphere configuration as an XML file. The export includes passwords needed for accessing keying material and data sources:

<jdbc-driver action="update" name="Sample DB Driver">
...
<config-properties>
  <property name="serverName" value=""/>
  <property name="password" value="{xor}KD4sa28="/>
  <property name="portNumber" value=""/>
  <property name="databaseName" value="was40"/>
  <property name="user" value="was40"/>
  <property name="disable2Phase" value="true"/>
  <property name="ifxIFXHOST" value=""/>
  <property name="URL" value=""/>
  <property name="informixLockModeWait" value=""/>
</config-properties>
</data-source>

These passwords are obfuscated and Base64-encoded. The obfuscated values are marked with the {xor} prefix.

The obfuscation algorithm is as follows:
- CHARobfuscated(n) = CHARpassword(n) XOR CHAR("_"), where n is the position of the character
- ObfuscatedPasswordBase64Encoded = Base64Encode(ObfuscatedPassword)

Deobfuscation process:
- ObfuscatedPassword = Base64Decode(ObfuscatedPasswordBase64Encoded)
- CHARpassword(n) = CHARobfuscated(n) XOR CHAR("_")

Regards
Jan

--
_____________________________________________________________
Jan P. Monsch
Compass Security Network Computing AG, CSNC
Tel: +41 55 214 41 67
Fax: +41 55 214 41 61
E-mail: jan.monsch () csnc ch
Web site: http://www.csnc.ch/
"Security Review - Penetration Testing"
_____________________________________________________________
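The scheme the advisory spells out (XOR every byte with "_", then Base64, with a {xor} marker) is small enough to check end to end. The following is an added example, not code from the advisory or from IBM: it implements the scheme exactly as described and uses it as an audit check, walking an exported configuration and reporting every property whose value rests on nothing more than that obfuscation, so an administrator can confirm what an export file contains before it leaves a protected directory. The export fragment, the property values, and the names obfuscate, deobfuscate and audit_export are constructed for this example. The audit reports only property names and recovered lengths, never the recovered values, so its output can be shared without leaking the secrets it found.

```python
import base64
import xml.etree.ElementTree as ET

# Added example (not from the advisory or from IBM): implements the {xor} scheme the
# advisory describes and audits an export for values that depend on it.
XOR_KEY = ord("_")   # the single fixed key byte the advisory names: '_'
PREFIX = "{xor}"     # marker placed in front of obfuscated values in the export


def obfuscate(password: str) -> str:
    """{xor} scheme as described: XOR every byte with '_', then Base64-encode."""
    xored = bytes(b ^ XOR_KEY for b in password.encode("latin-1"))
    return PREFIX + base64.b64encode(xored).decode("ascii")


def deobfuscate(value: str) -> str:
    """Reverse of obfuscate(); raises ValueError for values without the {xor} prefix."""
    if not value.lower().startswith(PREFIX):
        raise ValueError("value is not {xor}-obfuscated")
    raw = base64.b64decode(value[len(PREFIX):])
    return bytes(b ^ XOR_KEY for b in raw).decode("latin-1")


def audit_export(xml_text: str) -> list:
    """Report every <property> in an export whose value is only {xor}-obfuscated.

    Each finding proves the value is recoverable by round-tripping it, but records
    only the property name and the recovered length, so the report itself does not
    carry the secret.
    """
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        value = prop.get("value", "")
        if value.lower().startswith(PREFIX):
            recovered = deobfuscate(value)
            findings.append({
                "property": prop.get("name"),
                "recoverable": obfuscate(recovered)[len(PREFIX):] == value[len(PREFIX):],
                "length": len(recovered),
            })
    return findings


# Constructed export fragment in the layout the advisory shows (hypothetical values;
# the password property is obfuscate("s3cret!")).
SAMPLE_EXPORT = """<websphere-config>
  <data-source name="Sample DB">
    <config-properties>
      <property name="serverName" value="db.internal.example"/>
      <property name="password" value="{xor}LGw8LTorfg=="/>
      <property name="user" value="appuser"/>
    </config-properties>
  </data-source>
</websphere-config>"""


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print(finding)
```

Run against a real export, audit_export() gives an inventory of every credential that the file exposes, which is the list of passwords to treat as disclosed if the file is ever left in a directory other administrators or users can read.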